author | Marc Cornellà <hello@mcornella.com> | 2021-11-09 09:54:21 +0100 |
---|---|---|
committer | Marc Cornellà <hello@mcornella.com> | 2021-11-11 22:45:40 +0100 |
commit | b3ba9978cc42a5031c7b68e3cf917ec2e64643bc (patch) | |
tree | 2f5694f3958a058519e25423f50a3b45d1ff1ed8 /themes/refined.zsh-theme | |
parent | 72928432f1ddaa244e02067dd7fc14948a4a5ce4 (diff) | |
fix(themes): fix potential command injection in `pygmalion`, `pygmalion-virtualenv` and `refined`
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.
A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.
Diffstat (limited to 'themes/refined.zsh-theme')
-rw-r--r-- | themes/refined.zsh-theme | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/themes/refined.zsh-theme b/themes/refined.zsh-theme index 5d39bd757..5e2de7a87 100644 --- a/themes/refined.zsh-theme +++ b/themes/refined.zsh-theme @@ -70,6 +70,7 @@ preexec() { # Output additional information about paths, repos and exec time # precmd() { + setopt localoptions nopromptsubst vcs_info # Get version control info before we start outputting stuff print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f" unset cmd_timestamp #Reset cmd exec time. |
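Review bot: the new `setopt localoptions nopromptsubst` line at the top of `precmd()` carries no comment explaining that it is a security control, so a later cleanup could drop it without noticing that `print -P` would then re-evaluate the output of `$(repo_information)`. Please add a one-line comment there, for example that prompt substitution is disabled so git-derived text is not evaluated a second time. Also note that `nopromptsubst` only stops parameter, command and arithmetic substitution; `print -P` still interprets `%` prompt escapes in whatever `repo_information` returns, so consider escaping `%` in that output or printing the repository part without `-P`.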